Cash machines infected with malicious USB sticks

An inside job? Surely bankers have enough money

Criminals have targeted cash machines, a report says, by cutting hole in the fascia to infect the machine with malicious code via USB sticks. The infected ATMs were then able to spit out notes on command.

Speakers at the hacker-themed Chaos Computing Congress in Hamburg described the attacks, which infected an unnamed European bank that noticed several cash machines were emptied entirely without the safe being damaged.

The bank in question increased security after the first attacks and were able to spot the gang drilling holes in the front of the machines before inserting a USB flash drive. Once the malware had been transferred they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.

Profound knowledge

The gang would then return at a later date and instruct the compromised machine to dispense a specific amount of cash. They used a 12 digit code, followed by what was believed to be a failsafe to prevent individuals in the group from stealing money themselves. The correct response varied each time and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed.

Researchers, who asked not to be named, found that the software then showed how many of each denomination of banknote were in the machine, and asked how much of each it should dispense. This enabled the attackers to focus on the highest value banknotes and minimise their exposure.

They said that the gang must have had a "profound knowledge" of the workings of cash machines in order to develop and successfully install the software in such an efficient manner. However, they added that the approach did not extend to the software's filenames - the key one was called 'hack.bat'.